to protect, not because these users are lazy but because these users are well motivated and trying to do their jobs. When security gets in the way, users switch it off and work around it, designers avoid strong security, and administrators make mistakes in using it.

It is true that in the design of any computer system, there are inevitable trade-offs among various system characteristics: better or less costly administration, trustworthiness or security, ease of use, and so on. Because the intent of security is to make a system completely unusable to an unauthorized party but completely usable to an authorized one, there are inherent trade-offs between security and convenience or ease of access.

One element of usable security is better education. That is, administrators and developers—and even end users—would benefit from greater attention to security in their information technology (IT) education, so that the concepts of and the need for security are familiar to them in actual working environments (Box 6.1). In addition, some aspects of security are necessarily left for users to decide (e.g., who should have access to some resource), and users must know enough to make such decisions sensibly.

The trade-off between security and usability need not be as stark as many people believe, however, and there is no a priori reason why a system designed to be highly secure against unauthorized access cannot also be user-friendly. An example case in which security and usability have enhanced each other in a noncybersecurity context is that of modern hotel room keys. Key cards are lighter and more versatile than the old metal keys were. They are easier for the guests to use (except when the magnetic strip is accidentally erased), and the system provides the hotels with useful security information, such as who visited the room and whether the door was left ajar. Modern car keys are arguably more secure and more convenient as well.

The committee believes that efforts to increase security and usability can proceed simultaneously for a long time, even if they may collide at some point after attempts at better design or better engineering have been exhausted. Many of the usability problems of today have occurred because designers have simply given up too soon, before serious efforts have been made to reconcile the tension. All too often, the existence of undeniable tensions between security and access is used as an excuse for not addressing usability problems in security.

One part of the problem is that the interfaces are often designed by programmers who are familiar with the technology and often have a level of literacy (both absolute and technical) well above that of the average end user. The result is interfaces that are generally obvious and well understood by the programmers but not by the end users. Few programmers even have awareness of interface issues, and fewer still have useful train-

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.